Some https sites PR_CONNECT_RESET_ERROR

Hello,
My users receive a PR_CONNECT_RESET_ERROR when visiting some websites. I can't tell whether these websites have problems with their HTTPS certs or whether there is some misconfiguration in my HTTPS proxy action, but I can't spot where the problem is.
Can somebody help me to fix this?
One such website is https://www.lapostadelsindaco.it

For now I solved it by adding an "Allow Any Policy" towards these websites, but I don't like this solution.

Thanks

Comments

  • I don't get this error for the above web site, running V12.5.1

    What XTM version are you running & what firewall model do you have?
    Verify that you have PFS ciphers Allowed on your TLS Profile on your HTTPS proxy.

  • james.carson Moderator, WatchGuard Representative

    Hi @uffced

    The error PR_Connect_Reset_error is usually because the TLS profile is not configured correctly on the HTTPS proxy that hit the traffic.

    Please do the following: Go to WSM - Policy Manager - Edit HTTPS proxy that traffic uses - Edit Proxy Action - TLS Profile - Edit. Make sure that the "Perfect Forward Cipher" is set to Allow.

    If the problem persists, I'd suggest opening a case with support so that they can look into your issue.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • Hi, we have an M300 with XTM 12.4. I checked "Perfect Forward Cipher" and it is set to "Allow", with TLS Compliance "Not Enforced" and OCSP to validate certificates.

  • You should open a support incident to get help from a WG rep in resolving this.

  • Although this site gets an "A" rating here https://www.ssllabs.com/ssltest/analyze.html?d=www.lapostadelsindaco.it&hideResults=on, it still shows weak ciphers and other issues. Maybe one of them is related to your problem or it's a problem with older firmware. I have a T35 running 12.5.1 with HTTPS/DPI enabled and I can access the site just fine.

    Gregg Hill

  • Hello.
    For the moment I also have this issue with an M370, 12.5.2 U1. I opened a ticket. WG escalated it yesterday to the second level...

    Regards

    Dirk

  • Hello.
    I've got an answer from support. We are using an M370 cluster. I shut down the backup master and rebooted the master. The box created a new cert for the proxy authority. Because I use a self-signed cert here, I created a new cert. This works for my network.

    Regards

    Dirk
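
To check the PFS advice given in the comments, the following added example (not code from any poster or from WatchGuard; the function names are hypothetical) handshakes with a site and reports whether the negotiated cipher suite is forward secret. It assumes it is run from a host that reaches the site directly, since a client behind an inspecting HTTPS proxy sees the proxy's handshake rather than the site's.

```python
import socket
import ssl
import sys

# OpenSSL name prefixes for ephemeral (forward-secret) key exchange in TLS <= 1.2.
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def is_forward_secret(cipher_name: str, tls_version: str = "") -> bool:
    """True if the negotiated suite uses ephemeral key exchange.

    Every TLS 1.3 suite does; for older versions the OpenSSL name tells us.
    """
    if tls_version == "TLSv1.3" or cipher_name.startswith("TLS_"):
        return True
    return cipher_name.startswith(PFS_PREFIXES)


def interpret(cipher_name: str, tls_version: str) -> str:
    """Turn a negotiated suite into a hint for the proxy's TLS profile."""
    if is_forward_secret(cipher_name, tls_version):
        return "site negotiates a PFS suite: the TLS profile must allow PFS ciphers"
    return "site negotiates a non-PFS suite: look elsewhere than the PFS setting"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with host and report the negotiated version and cipher."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, _proto, _bits = tls.cipher()
                version = tls.version()
                return {"host": host, "version": version, "cipher": name,
                        "hint": interpret(name, version)}
    except OSError as exc:  # covers ConnectionResetError and ssl.SSLError
        return {"host": host, "error": f"{type(exc).__name__}: {exc}"}


if __name__ == "__main__":
    # Host taken from the thread; pass another name as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "www.lapostadelsindaco.it"
    print(probe(target))
```

A result with an `error` key of type `ConnectionResetError` from a client behind the firewall, alongside a clean result from outside it, points at the proxy rather than the site.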
